1
0
Fork 0

ci: replace deprecated workflow syntax and add trivy (#128)

This commit is contained in:
Robert Kaussow 2024-10-30 22:46:12 +01:00 committed by GitHub
parent f667989933
commit 6dbc41850a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 27 additions and 22 deletions

View file

@ -6,22 +6,30 @@ when:
- ${CI_REPO_DEFAULT_BRANCH}
steps:
- name: dryrun
- name: security-build
image: quay.io/thegeeklab/wp-docker-buildx:5
settings:
containerfile: Containerfile.multiarch
dry_run: true
platforms:
- linux/amd64
- linux/arm64
provenance: false
output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
repo: ${CI_REPO}
when:
- event: [pull_request]
- name: security-scan
image: docker.io/aquasec/trivy
depends_on: [security-build]
commands:
- trivy -v
- trivy image --input oci/${CI_REPO_NAME}
environment:
TRIVY_EXIT_CODE: "1"
TRIVY_IGNORE_UNFIXED: "true"
TRIVY_NO_PROGRESS: "true"
TRIVY_SEVERITY: HIGH,CRITICAL
TRIVY_TIMEOUT: 1m
TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2
- name: publish-dockerhub
image: quay.io/thegeeklab/wp-docker-buildx:5
group: container
depends_on: [security-scan]
settings:
auto_tag: true
containerfile: Containerfile.multiarch
@ -42,7 +50,7 @@ steps:
- name: publish-quay
image: quay.io/thegeeklab/wp-docker-buildx:5
group: container
depends_on: [security-scan]
settings:
auto_tag: true
containerfile: Containerfile.multiarch

View file

@ -8,13 +8,11 @@ when:
steps:
- name: markdownlint
image: quay.io/thegeeklab/markdownlint-cli
group: test
commands:
- markdownlint 'README.md' 'CONTRIBUTING.md'
- name: spellcheck
image: quay.io/thegeeklab/alpine-tools
group: test
commands:
- spellchecker --files 'docs/**/*.md' 'README.md' 'CONTRIBUTING.md' -d .dictionary -p spell indefinite-article syntax-urls
environment:
@ -22,18 +20,17 @@ steps:
- name: link-validation
image: docker.io/lycheeverse/lychee
group: test
commands:
- lychee --no-progress --format detailed README.md
- name: pushrm-dockerhub
image: docker.io/chko/docker-pushrm:1
secrets:
- source: docker_password
target: DOCKER_PASS
- source: docker_username
target: DOCKER_USER
depends_on: [markdownlint, spellcheck, link-validation]
environment:
DOCKER_PASS:
from_secret: docker_password
DOCKER_USER:
from_secret: docker_username
PUSHRM_FILE: README.md
PUSHRM_SHORT: Semantic versioning tool for git based on conventional commits
PUSHRM_TARGET: ${CI_REPO}
@ -45,10 +42,10 @@ steps:
- name: pushrm-quay
image: docker.io/chko/docker-pushrm:1
secrets:
- source: quay_token
target: APIKEY__QUAY_IO
depends_on: [markdownlint, spellcheck, link-validation]
environment:
APIKEY__QUAY_IO:
from_secret: quay_token
PUSHRM_FILE: README.md
PUSHRM_TARGET: quay.io/${CI_REPO}
when:

View file

@ -1,4 +1,4 @@
FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.23@sha256:ad5c126b5cf501a8caef751a243bb717ec204ab1aa56dc41dc11be089fafcb4f as build
FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.23@sha256:ad5c126b5cf501a8caef751a243bb717ec204ab1aa56dc41dc11be089fafcb4f AS build
ARG TARGETOS
ARG TARGETARCH